Commit 6f7c21d3 authored by Birin Sanchez's avatar Birin Sanchez

Ansible role for a basic dovecot instance added.

Signed-off-by: Birin Sanchez's avatarBirin Sanchez <birin.sanchez@puri.sm>
parent 2a396175
Pipeline #4007 passed with stage
in 46 seconds
---
- name: Simple Dovecot role for Keel/LDH
hosts: all
become: yes
roles:
- role: ldh_dovecot
vars:
ldh_dovecot_ldap_uri: "ldap://ldap.freedom.test:389"
ldh_dovecot_ldap_base: "dc=freedom,dc=test"
LDH Dovecot
===========
Role used to install con configure [Dovecot](https://dovecot.org/) to
work with Keel/LDH LDAP. It includes these basic functionalities:
* Virtual users from LDAP.
* Non encrypted communication between Dovecot and LDAP.
* `mbox` type mail boxes stored in `/var/mail` and accessed by `mail`
user.
* No LDAP admin user needed for look-ups.
Requirements
------------
This role has only been tested with Ansible 2.7.1.
Role Variables
--------------
* `ldh_dovecot_ldap_uri`
URI used by Dovecot to connect to the LDAP server. Default value:
`ldap://ldap.freedom.test:389`.
* `ldh_dovecot_ldap_base`
Search starting point used by Dovecot when querying the
LDAP instance. Default value: `dc=freedom,dc=test`.
Dependencies
------------
This roles does not depend on other roles.
License
-------
AGPL-3.0-or-later
Author Information
------------------
Purism SPC <liberty@puri.sm>
Homepage: https://source.puri.sm/liberty/ldh_developer
---
# defaults file for ldh_dovecot
ldh_dovecot_required_pkgs:
- dovecot-imapd
- dovecot-pop3d
- dovecot-ldap
ldh_dovecot_ldap_uri: "ldap://ldap.example.com:389"
ldh_dovecot_ldap_base: "dc=example,dc=com"
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = no
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
This diff is collapsed.
---
# handlers file for ldh_dovecot
- name: restart dovecot
service:
name: dovecot
state: restarted
galaxy_info:
author: Purism SPC
description: Basic Matrix-Synapse for LDH development.
company: Purism SPC
license: AGPL-3.0-or-later
min_ansible_version: 2.7.1
galaxy_tags:
- imap
- pop3
- dovecot
- mail
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
---
# tasks file for ldh_dovecot
- name: Install required Dovecot packages
apt:
name: "{{ ldh_dovecot_required_pkgs }}"
update_cache: yes
cache_valid_time: 600
state: present
- name: Copy config file 10-auth.conf
copy:
src: etc/dovecot/conf.d/10-auth.conf
dest: /etc/dovecot/conf.d/10-auth.conf
notify: "restart dovecot"
- name: Copy config file 10-mail.conf
copy:
src: etc/dovecot/conf.d/10-mail.conf
dest: /etc/dovecot/conf.d/10-mail.conf
notify: "restart dovecot"
- name: Copy and configure dovecot-ldap.conf.ext
template:
src: etc/dovecot/dovecot-ldap.conf.ext.j2
dest: /etc/dovecot/dovecot-ldap.conf.ext
notify: "restart dovecot"
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:
# access to attribute=userPassword
# by dn="<dovecot's dn>" read # add this
# by anonymous auth
# by self write
# by * none
# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts =
# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
uris = {{ ldh_dovecot_ldap_uri }}
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
#dn =
# Password for LDAP server, if dn is specified.
#dnpass =
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
#tls_require_cert =
# Use the given ldaprc path.
#ldaprc_path =
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
# LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 3
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = {{ ldh_dovecot_ldap_base }}
# Dereference: never, searching, finding, always
#deref = never
# Search scope: base, onelevel, subtree
#scope = subtree
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = =mail=mbox:/var/mail/%u, \
=uid=mail, \
=gid=mail
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#pass_attrs = uid=user,userPassword=password
pass_attrs = uid=user
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
---
- hosts: localhost
remote_user: root
roles:
- ldh_dovecot
\ No newline at end of file
---
# vars file for ldh_dovecot
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment